DOI: 10.1145/3465481.3470095
Research article, Open access

Control Effectiveness: a Capture-the-Flag Study

Published: 17 August 2021

Abstract

As cybersecurity breaches continue to increase in number and cost, and the demand for cyber-insurance rises, the ability to reason accurately about an organisation's residual risk is of paramount importance. Security controls are integral to risk practice and decision-making: organisations deploy controls in order to reduce their risk exposure, and cyber-insurance companies provide coverage to these organisations based on their cybersecurity posture. Therefore, in order to reason about an organisation's residual risk, it is critical to have an accurate understanding of the controls organisations have in place and of the influence those controls have on the likelihood that an organisation will be harmed by a cyber-incident. Supporting evidence for the effectiveness of controls, however, is often lacking. With the aim of enriching internal threat data, this article explores a practical exercise in the form of a capture-the-flag (CTF) study. We experimented with a set of security controls and invited four professional penetration testers to solve the challenges. The results indicate that CTFs are a viable path for enriching threat intelligence and examining security controls, enabling us to begin to theorise about the relative effectiveness of certain risk controls in the face of threats, and to provide some recommendations for strengthening an organisation's cybersecurity posture.


Cited By

  • (2022) Development and Testing of a Core System for Red and Blue Scenario in Cyber Security Incidents. 2022 15th International Conference on Security of Information and Networks (SIN), pp. 1–7. DOI: 10.1109/SIN56466.2022.9970546. Online publication date: 11 November 2022.

Published In

ARES '21: Proceedings of the 16th International Conference on Availability, Reliability and Security
August 2021
1447 pages
ISBN:9781450390514
DOI:10.1145/3465481
This work is licensed under a Creative Commons Attribution International 4.0 License.

Publisher

Association for Computing Machinery

New York, NY, United States


Author Tags

  1. CTF
  2. control effectiveness
  3. cyber threat detection
  4. cyber threat prioritisation

Qualifiers

  • Research-article
  • Research
  • Refereed limited

Conference

ARES 2021

Acceptance Rates

Overall Acceptance Rate 228 of 451 submissions, 51%
